FortiGate
vhitnal
Staff
Article Id 198132

Description


This article describes how to block traffic from a particular country on a FortiGate.

 

Scope

 

FortiGate.

Solution

 

  • Create a geography-based address object.
  • Go to Policy and Objects -> Addresses, select 'Create New' and fill in the fields as below:

Name: the country name, for example China.
Type: Geography.
Interface: wan1.

Enable 'Show in Address List' and select 'OK'.

 

  • Create a WAN-to-LAN deny policy with the source address set to the geography address object created above. In this case:

Source: China.
Destination: all.

If any VIP policies exist, keep this policy above the VIP policies.

 

  • However, incoming traffic destined to a VIP will still match the normal VIP policies, because a deny policy does not match DNAT (VIP) traffic by default.
  • Make the following change to the deny policy in the CLI:

 

config firewall policy
    edit <firewall policy number>
        set match-vip enable
    next
end

 

  • Traffic from China is now blocked, including traffic to VIPs.
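As an added configuration check (example code written for this article, not Fortinet's own tooling), the Python script below parses a constructed FortiOS config dump and reports geography-sourced deny policies that lack 'set match-vip enable', the gap the steps above close. Table and key names follow the CLI syntax shown in this article; the sample config is constructed.

```python
import shlex

# Constructed sample FortiOS config (not from the article): policy 10 is the
# geo deny policy without match-vip, policy 11 is the same policy with it.
SAMPLE_CONFIG = """\
config firewall address
    edit "China"
        set type geography
    next
end
config firewall policy
    edit 10
        set srcaddr "China"
        set action deny
    next
    edit 11
        set srcaddr "China"
        set action deny
        set match-vip enable
    next
end
"""

def parse_fortios(text):
    """Flat 'config <table> / edit <id> / set k v.. / next / end' -> nested dict."""
    tables, table, entry = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, *values = shlex.split(line[4:])  # unquote "China" etc.
            entry[key] = values
        elif line in ("next", "end"):
            entry = None
    return tables

def geo_deny_policies_missing_match_vip(text):
    """IDs of deny policies with a geography source that lack 'set match-vip enable'."""
    cfg = parse_fortios(text)
    geo = {n for n, a in cfg.get("firewall address", {}).items()
           if a.get("type") == ["geography"]}
    findings = []
    for pid, p in cfg.get("firewall policy", {}).items():
        # No 'set action' line means deny, the FortiOS default for a new policy.
        is_deny = p.get("action", ["deny"]) == ["deny"]
        if is_deny and geo & set(p.get("srcaddr", [])) and p.get("match-vip") != ["enable"]:
            findings.append(pid)
    return findings
```

Run it against a full 'show firewall policy' and 'show firewall address' dump to find every geo-block policy that VIP traffic would still bypass.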

The second solution is to create a local-in policy for the traffic coming from China. Note that a local-in policy only applies to traffic destined for the FortiGate itself (for example management or VPN access), not to traffic forwarded through it. Select Local-in Policy from the GUI and create a new policy:

 


 

In CLI:

 

config firewall local-in-policy
    edit 1
        set uuid fb3ffa72-749c-51ef-9bec-48282427934a
        set intf "port1"
        set srcaddr "China"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end

 

Related articles:

Technical Note: DENY Policy for Virtual IP Firewall Policy

Technical Tip: How to block by country or geolocation